Support and prerequisites: DevOps security

This article summarizes support information for DevOps security capabilities in Microsoft Defender for Cloud.

DevOps security provides visibility into your DevOps environments, helping security teams discover misconfigurations, exposed secrets, and code vulnerabilities across repositories and CI/CD pipelines in Azure DevOps, GitHub, and GitLab.

Cloud and region support

DevOps security is available in the Azure commercial cloud, in these regions:

  • Asia (East Asia)
  • Australia (Australia East)
  • Canada (Canada Central)
  • Europe (West Europe, North Europe, Sweden Central)
  • UK (UK South)
  • US (East US, Central US)

DevOps platform support

DevOps security currently supports the following DevOps platforms:

Required permissions

DevOps security requires the following permissions:

Feature | Permissions
Connect DevOps environments to Defender for Cloud |
  • Azure: Subscription Contributor or Security Admin
  • Azure DevOps: Project Collection Administrator on target Organization
  • GitHub: Organization Owner
  • GitLab: Group Owner on target Group
Review security insights and findings | Security Reader
Configure pull request annotations | Subscription Contributor or Owner
Install the Microsoft Security DevOps extension in Azure DevOps | Azure DevOps Project Collection Administrator
Install the Microsoft Security DevOps action in GitHub | GitHub Write

Note

To avoid setting highly privileged permissions on a subscription for read access to DevOps security insights and findings, apply the Security Reader role on the resource group or connector scope.
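The scoping advice above, as an added Azure PowerShell example (not from this page or from Microsoft): it grants Security Reader to a group at the resource group or at a single DevOps connector instead of at the subscription, and then checks that nothing broader is inherited. The resource group name, connector name and group object ID are placeholders, and the connector resource type Microsoft.Security/securityConnectors is an assumption.

```powershell
# Added example, not from the Microsoft Learn page. Requires Az.Accounts and Az.Resources;
# run Connect-AzAccount first. Placeholders and the connector resource type are assumptions.

$subscriptionId = (Get-AzContext).Subscription.Id
$resourceGroup  = 'rg-devops-security'                     # placeholder
$connectorName  = 'github-connector'                       # placeholder
$readersGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder Entra group object ID

# Over-broad: Security Reader (or Contributor) on the whole subscription just to read
# DevOps findings. Shown commented out as the setting to avoid.
# New-AzRoleAssignment -ObjectId $readersGroupId -RoleDefinitionName 'Security Reader' `
#     -Scope "/subscriptions/$subscriptionId"

# Narrow option 1: the resource group that holds the DevOps connector(s).
$rgScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Narrow option 2: one connector resource (resource type assumed).
$connectorScope = "$rgScope/providers/Microsoft.Security/securityConnectors/$connectorName"

# Use the connector scope when the team owns only that one DevOps environment.
$scope = $connectorScope

# Idempotent: Get-AzRoleAssignment also returns inherited assignments, so match the exact scope.
$existing = Get-AzRoleAssignment -ObjectId $readersGroupId -RoleDefinitionName 'Security Reader' -Scope $scope |
    Where-Object { $_.Scope -eq $scope }

if (-not $existing) {
    New-AzRoleAssignment -ObjectId $readersGroupId -RoleDefinitionName 'Security Reader' -Scope $scope
    Write-Output "Granted Security Reader at $scope"
} else {
    Write-Output "Security Reader already assigned at $scope"
}

# Check: the group should hold no role assigned directly at the subscription scope.
Get-AzRoleAssignment -ObjectId $readersGroupId -Scope "/subscriptions/$subscriptionId" |
    Where-Object { $_.Scope -eq "/subscriptions/$subscriptionId" } |
    Select-Object RoleDefinitionName, Scope
```

If the final check lists any row, that assignment is broader than the note recommends and should be moved down to the resource group or connector.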

Feature availability

DevOps security capabilities, such as code-to-cloud contextualization, security explorer, attack path analysis, and pull request annotations for Infrastructure-as-Code security findings, are available when you enable the paid Defender Cloud Security Posture Management (Defender CSPM) plan.

The following tables summarize the availability and prerequisites for each feature within the supported DevOps platforms:

Azure DevOps

Feature | Foundational CSPM | Defender CSPM | Prerequisites
Connect Azure DevOps repositories | Yes | Yes | See Azure DevOps onboarding prerequisites
Inventory of Azure DevOps resources | Yes | Yes | Azure DevOps connector
Security recommendations to fix DevOps environment misconfigurations | Yes | Yes | Azure DevOps connector
Security recommendations to fix code vulnerabilities | Yes | Yes | Agentless code scanning (preview) for agentless scans, or Microsoft Security DevOps extension for in-pipeline scans, or GitHub Advanced Security for Azure DevOps for CodeQL scans
Security recommendations to fix Infrastructure as Code (IaC) misconfigurations | Yes | Yes | Agentless code scanning (preview) for agentless scans, or Microsoft Security DevOps extension for in-pipeline scans
Security recommendations to discover exposed secrets | Yes | Yes | GitHub Advanced Security for Azure DevOps
Security recommendations to fix open source vulnerabilities | Yes | Yes | GitHub Advanced Security for Azure DevOps
Pull request annotations | No | Yes | See pull request annotations prerequisites
Code to cloud mapping for Containers | No | Yes | Microsoft Security DevOps extension
Code to cloud mapping for Infrastructure as Code (IaC) templates | No | Yes | Microsoft Security DevOps extension
Attack path analysis | No | Yes | Enable Defender CSPM on an Azure Subscription, AWS connector, or GCP connector in the same tenant as the DevOps connector
Cloud security explorer | No | Yes | Enable Defender CSPM on an Azure Subscription, AWS connector, or GCP connector in the same tenant as the DevOps connector

GitHub

Feature | Foundational CSPM | Defender CSPM | Prerequisites
Connect GitHub repositories | Yes | Yes | See GitHub onboarding prerequisites
Inventory of GitHub DevOps resources | Yes | Yes | GitHub connector
Security recommendations to fix DevOps environment misconfigurations | Yes | Yes | GitHub connector
Security recommendations to fix code vulnerabilities | Yes | Yes | Agentless code scanning (preview) for agentless scans, Microsoft Security DevOps action for in-pipeline scans, or GitHub Advanced Security for CodeQL scans
Security recommendations to fix Infrastructure as Code (IaC) misconfigurations | Yes | Yes | Agentless code scanning (preview) for agentless scans, or Microsoft Security DevOps action for in-pipeline scans
Security recommendations to discover exposed secrets | Yes | Yes | GitHub Advanced Security
Security recommendations to fix open source vulnerabilities | Yes | Yes | GitHub Advanced Security
Code to cloud mapping for Containers | No | Yes | Microsoft Security DevOps action
Attack path analysis | No | Yes | Enable Defender CSPM on an Azure Subscription, AWS connector, or GCP connector in the same tenant as the DevOps connector
Cloud security explorer | No | Yes | Enable Defender CSPM on an Azure Subscription, AWS connector, or GCP connector in the same tenant as the DevOps connector

GitLab

Feature | Foundational CSPM | Defender CSPM | Prerequisites
Connect GitLab projects | Yes | Yes | See GitLab onboarding prerequisites
Security recommendations to fix code vulnerabilities | Yes | Yes | GitLab Ultimate
Security recommendations to fix Infrastructure as Code (IaC) misconfigurations | Yes | Yes | GitLab Ultimate
Security recommendations to discover exposed secrets | Yes | Yes | GitLab Ultimate
Security recommendations to fix open source vulnerabilities | Yes | Yes | GitLab Ultimate
Cloud security explorer | No | Yes | Enable Defender CSPM on an Azure Subscription, AWS connector, or GCP connector in the same tenant as the DevOps connector